Region: Americas
Year: 2015
Court: Ontario Court of Appeal
Health Topics: Health information, Hospitals
Human Rights: Right to privacy
Tags: Confidentiality, Disclosure, Electronic health information, Electronic health records, Health data, Health records, Medical records, Public hospitals
A class of approximately 280 individuals whose medical records were improperly accessed by hospital staff filed suit against the hospital employees. The class alleged that the breaches the staff caused and the hospital’s failure to monitor and implement policies to protect the information led to a breach under the common law tort of intrusion upon seclusion and their right to privacy. Individually, one of the victims was concerned that her abusive ex-husband had accessed the records and posed a threat to her well being.
The hospital employees sought to dismiss the action on the basis that Ontario’s Personal Health Information Protection Act (the “Act”) prevented common law claims for invasion of privacy rights from being brought before the Ontario Superior Court. The lower court dismissed the summary motion, finding that it was not clear that a common law claim would fail, and the hospital employees appealed.
The Court struck down the appeal, holding that the Act’s language did not demonstrate legislative intent to create an exhaustive code for governing personal health information and that the claim of intrusion upon seclusion could proceed to trial.
The Court assessed the Act according to three considerations: whether the process for dispute resolution contemplated by the Act consisted of clauses demonstrating exclusive jurisdiction; whether the essential nature of the dispute could be captured by the rights and obligations formed by the overall scheme of the legislation; and whether the scheme could provide an effective form of redress for infractions.
The Court found that the Act was not exhaustive. It provided a comprehensive set of rules regarding how personal health information could be collected, used, or disclosed across Ontario's health care system, but included provisions which provided Ontario’s Information and Privacy Commissioner’s broad and informal discretionary review powers. These powers were tailored to systemic rather than individual claims. Additionally, the Act expressly contemplated proceedings brought through alternative proceedings in section 57(4)(b), as well as a limited role in section 65, due to the Commissioner’s inability to award damages without first applying to the Ontario Superior Court. The Court also determined that the common law claim’s increased stringency would not undermine the Act, and that individual complaints may not otherwise achieve effective redress. As a result, there was no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for intrusion upon seclusion.
“While PHIPA does contain a very exhaustive set of rules and standards for custodians of personal health information, details regarding the procedure or mechanism for the resolution of disputes are sparse. At para. 28 of the Commissioner's factum, the review process is described as ‘inquisitorial in nature’. The Act essentially leaves the procedure to be followed to the discretion of the Commissioner. Reviews are generally conducted in writing. There is no requirement to hold an oral hearing, and therefore the fundamental features of an adversarial system, such as cross-examination, are absent. The Act gives complainants no procedural entitlements beyond the right to make representations.” Para. 37.
“The elements of the common law tort … require a plaintiff to establish (1) intentional or reckless conduct by the defendant, (2) that the defendant invaded, without lawful justification, the plaintiff's private affairs or concerns and (3) that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. The first and third elements of the common law claim represent significant hurdles not required to prove a breach of PHIPA.” Para. 48.